Red Hat Bugzilla – Attachment 638741 Details for
Bug 873369
Include distrust information in /etc/pki/tls/certs/ca-bundle.trust.crt
[patch]
patch v1
p-873369 (text/plain), 4.20 KB, created by
Kai Engert (:kaie) (inactive account)
on 2012-11-05 16:39:40 UTC
Description:
patch v1
Filename:
MIME Type:
Creator:
Kai Engert (:kaie) (inactive account)
Created:
2012-11-05 16:39:40 UTC
Size:
4.20 KB
patch
obsolete
>diff --git a/ca-certificates.spec b/ca-certificates.spec
>index 129cdb2..466fc3c 100644
>--- a/ca-certificates.spec
>+++ b/ca-certificates.spec
>@@ -70,14 +70,22 @@ EOF
> ) > ca-bundle.trust.crt
> for f in certs/*.crt; do
> tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
>+ distbits=`sed -n '/^# openssl-distrust/{s/^.*=//;p;}' $f`
> case $tbits in
> *serverAuth*) openssl x509 -text -in "$f" >> ca-bundle.crt ;;
> esac
>+ targs=""
> if [ -n "$tbits" ]; then
>- targs=""
> for t in $tbits; do
> targs="${targs} -addtrust $t"
> done
>+ fi
>+ if [ -n "$distbits" ]; then
>+ for t in $distbits; do
>+ targs="${targs} -addreject $t"
>+ done
>+ fi
>+ if [ -n "$targs" ]; then
> openssl x509 -text -in "$f" -trustout $targs >> ca-bundle.trust.crt
> fi
> done
>diff --git a/certdata2pem.py b/certdata2pem.py
>index c22946d..08a6f25 100644
>--- a/certdata2pem.py
>+++ b/certdata2pem.py
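Review bot: The new `if [ -n "$targs" ]` guard admits a certificate whose only flags are `-addreject` into ca-bundle.trust.crt, and nothing in the spec records that the bundle now holds entries that are not trust anchors. A consumer that loads every entry of that file as trusted without reading the reject settings would presumably accept them, so a comment above the loop such as `# ca-bundle.trust.crt also carries explicitly distrusted certs (reject flags); it is not a plain anchor list` would help the next packager. The added `distbits` line also passes `$f` to sed unquoted while the openssl calls in the same loop use `"$f"`; ending it with `"$f"` would match them.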
>@@ -79,40 +79,12 @@ for line in open('certdata.txt', 'r'):
> if len(obj.items()) > 0:
> objects.append(obj)
>
>-# Read blacklist.
>-blacklist = []
>-if os.path.exists('blacklist.txt'):
>- for line in open('blacklist.txt', 'r'):
>- line = line.strip()
>- if line.startswith('#') or len(line) == 0:
>- continue
>- item = line.split('#', 1)[0].strip()
>- blacklist.append(item)
>-
> # Build up trust database.
>-trust = dict()
> trustmap = dict()
> for obj in objects:
>
> if obj['CKA_CLASS'] != 'CKO_NSS_TRUST':
> continue
>- if obj['CKA_LABEL'] in blacklist:
>- print "Certificate %s blacklisted, ignoring." % obj['CKA_LABEL']
>- elif obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_TRUSTED_DELEGATOR':
>- trust[obj['CKA_LABEL']] = True
>- elif obj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_TRUSTED_DELEGATOR':
>- trust[obj['CKA_LABEL']] = True
>- elif obj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_TRUSTED_DELEGATOR':
>- trust[obj['CKA_LABEL']] = True
>- elif obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_UNTRUSTED':
>- print '!'*74
>- print "UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: %s" % obj['CKA_LABEL']
>- print '!'*74
>- sys.exit(1)
>- else:
>- print "Ignoring certificate %s. SAUTH=%s, EPROT=%s" % \
>- (obj['CKA_LABEL'], obj['CKA_TRUST_SERVER_AUTH'],
>- obj['CKA_TRUST_EMAIL_PROTECTION'])
> label = obj['CKA_LABEL']
> trustmap[label] = obj
> print " added cert", label
>@@ -157,26 +129,32 @@ openssl_trust = {
> for obj in objects:
> if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
> print "producing cert file for " + obj['CKA_LABEL']
>- if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
>- print " -> untrusted, ignoring"
>- continue
> fname = obj_to_filename(obj)
> f = open(fname, 'w')
> trustbits = []
>+ distrustbits = []
> openssl_trustflags = []
>+ openssl_distrustflags = []
> tobj = trustmap[obj['CKA_LABEL']]
> for t in trust_types.keys():
> if tobj.has_key(t) and tobj[t] == 'CKT_NSS_TRUSTED_DELEGATOR':
> trustbits.append(t)
> if t in openssl_trust:
> openssl_trustflags.append(openssl_trust[t])
>+ if tobj.has_key(t) and tobj[t] == 'CKT_NSS_NOT_TRUSTED':
>+ distrustbits.append(t)
>+ if t in openssl_trust:
>+ openssl_distrustflags.append(openssl_trust[t])
> f.write("# trust=" + " ".join(trustbits) + "\n")
>+ f.write("# distrust=" + " ".join(distrustbits) + "\n")
> if openssl_trustflags:
> f.write("# openssl-trust=" + " ".join(openssl_trustflags) + "\n")
>+ if openssl_distrustflags:
>+ f.write("# openssl-distrust=" + " ".join(openssl_distrustflags) + "\n")
> f.write("-----BEGIN CERTIFICATE-----\n")
> f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64)))
> f.write("\n-----END CERTIFICATE-----\n")
>- print " -> written as '%s', trust = %s, openssl-trust = %s" % (fname, trustbits, openssl_trustflags)
>+ print " -> written as '%s', trust = %s, openssl-trust = %s, distrust = %s, openssl-distrust = %s" % (fname, trustbits, openssl_trustflags, distrustbits, openssl_distrustflags)
>
>
>
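Review bot: The added `CKT_NSS_NOT_TRUSTED` branch inside `for t in trust_types.keys()` recognises one literal, and every other value, including the `CKT_NSS_UNTRUSTED` spelling that the check deleted in the previous hunk aborted on, now yields neither a trust nor a distrust flag and no message. Since the build no longer fails closed, turning the second test into an `elif` and adding `else: print "  unhandled %s=%s for %s" % (t, tobj.get(t), obj['CKA_LABEL'])` would make a naming change in certdata.txt visible in the build log instead of silently dropping distrust. With the `trust` filter gone, `tobj = trustmap[obj['CKA_LABEL']]` is also reached for every certificate, so a certificate with no trust object under the same label would raise a bare KeyError. `trust_types` and `openssl_trust` are defined outside this hunk.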
Attachments on
bug 873369
: 638741